Sometimes during a computer forensic investigation we need to virtualize our disk image, because doing so can be useful for checking or finding something of interest.

If we need to virtualize a disk image file, we can:

1. Convert the image file to VDI/VMDK

2. Use GNU/Linux and xmount

The first option is very space- and time-consuming: if we have a disk image of 1Tb in size, we need another 1Tb to store the VDI/VMDK virtual disk that feeds our virtual machine, and the conversion process itself takes a long time.

On GNU/Linux we can use xmount, which is very convenient because we don’t need to convert the image file into a virtual disk file format: it “allows you to convert on-the-fly between multiple input and output harddisk image types. Xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image.”

“In addition, xmount also supports virtual write access to the output files that is redirected to a cache file.”

If we are working in MS Windows, we don’t have a corresponding tool, so I decided to study a method to do it.

The steps are these:

1. We need a physical disk in Windows, created from a disk image file.

2. We need virtual write access redirected to an external cache file, so that the image file is not changed.

3. We need a special command that creates a virtual representation of the input image for on-the-fly conversion.

All of these points can be achieved by manually running some tools and commands: